Federal Risk and Authorization Management Program (FedRAMP) report

This report displays FedRAMP issues found on your site. Many web application vulnerabilities can lead, directly or indirectly, to security breaches of personal information and might be considered violations of the regulation.

Why it matters

The Federal Risk and Authorization Management Program (FedRAMP) provides a risk-based approach for the adoption and use of cloud services by making the following available to Executive departments and agencies:

  • Standardized security requirements for the authorization and ongoing cybersecurity of cloud services for selected information system impact levels.
  • A conformity assessment program capable of producing consistent, independent, third-party assessments of security controls implemented by Cloud Service Providers (CSPs).
  • Authorization packages of cloud services reviewed by a Joint Authorization Board (JAB) consisting of security experts from the DHS, DOD, and GSA.
  • Standardized contract language to help Executive departments and agencies integrate FedRAMP requirements and best practices into acquisition; and
  • A repository of authorization packages for cloud services that can be leveraged government-wide.

FedRAMP processes are designed to assist agencies in meeting FISMA requirements for cloud systems and address the complexities of cloud systems that create unique challenges for complying with FISMA. The program streamlines federal agencies’ ability to make use of cloud service provider platforms and offerings.

OMB published a memo on December 8, 2011 stating that all low and moderate impact level cloud services leveraged by one or more offices or agencies must comply with FedRAMP requirements. FedRAMP commenced Initial Operating Capability (IOC) on June 6, 2012. Cloud systems in the acquisition phase as of June 6, 2012, but not yet implemented, had until June 5, 2014 to become FedRAMP compliant.

FedRAMP is governed by a Joint Authorization Board (JAB) comprised of the Chief Information Officers from the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Department of Defense (DoD). The U.S. Government’s Chief Information Officer Council (CIOC), including its Information Security and Identity Management Committee (ISIMC), endorses FedRAMP. FedRAMP collaborates with the ISIMC as it identifies high-priority security and identity management initiatives and develops recommendations for policies, procedures, and standards to address those initiatives.

AppScan's FedRAMP compliance report automatically detects possible issues in your cloud service web environment that might be relevant to your compliance with the FedRAMP baseline controls document. The FedRAMP security controls baseline updates the NIST minimum security controls guideline with applicable parameters and modifications that are relevant and specific to cloud services.

Table 1. Issues detected across 14/18 sections of the regulation:

Control Number  Control
AC-4            Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
AC-6            Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
AC-7.A          Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period].
AC-10           Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
AC-12           Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-17.1         The information system monitors and controls remote access methods.
CM-7            a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
                b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
IA-2            Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
IA-5            c. The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use.
                e. The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation.
SC-5            The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
SC-8            The information system protects the [FedRAMP Assignment: confidentiality AND integrity] of transmitted information.
SC-13           The information system implements [FedRAMP Assignment: FIPS-validated or NSA-approved cryptography] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-23           The information system protects the authenticity of communications sessions.
SI-3.A          Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code.
SI-3.B          The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SI-10           The information system checks the validity of [Assignment: organization-defined information inputs].
SI-11.A         The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.